.NET Reactor encryption vs obfuscation

I have a requirement to protect our assemblies against reverse engineering, to lessen the risk of IP theft or license hacks. .NET Reactor looks powerful and we already have a license for it.

Reading through the documentation it seems there are several mechanisms for preventing decompilation other than obfuscation. I've read that obfuscation can foul up serialization, which is a big part of our system, and I am hoping to avoid it completely.

I'm mainly interested in NecroBit, which claims to encrypt the CIL, making it "impossible to decompile/reverse engineer." It seems to me that if this is true, obfuscation or any other settings would be pointless.

Can any experienced .NET Reactor users give any more practical explanation of the various options and/or suggest a good permutation for a serialized system? What are some good tools for testing this software's claims?

grinder22 Avatar asked Jun 14 '17 20:06

3 Answers

As long as the corresponding classes are marked as serializable you can tell .NET Reactor to exclude these classes from obfuscation:

[screenshot of the .NET Reactor exclusion settings]

Eziriz Avatar answered Oct 20 '22 18:10

Hopefully this helps some other people using .NET Reactor or similar tools. I'm aware of the limitations of any tool. The goal was to reduce the risk of licensing hacks as much as possible with minimal effort. My company has been burned before and the boss wanted it.

Our project in particular is a WPF desktop app using Prism. I found when I tried to merge my assemblies into a single fat exe, some of my interface registrations were failing to resolve in the Unity container. We decided it was ok to protect each dll individually rather than fight with this. Once I did that, this tool worked nicely. I literally checked every protection option for the desktop.

Our services run SignalR hubs in a self-hosted OWIN process. In this case the Native EXE File option would not work. We got Bad Image Format exceptions when we ran the services. Otherwise all options checked.

Beyond that I ran into some spotty issues where we were using reflection in the form of Type.GetMethod(string). I had to exclude a few methods and classes with an ObfuscationAttribute.

I was anticipating issues with JSON serialization but didn't get any. Everything just worked :)

grinder22 Avatar answered Oct 20 '22 19:10

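The answer above ran into renaming obfuscation breaking `Type.GetMethod(string)` lookups and fixed each one by hand with an ObfuscationAttribute. The following is an added example, not code from any of the answers or from .NET Reactor: a post-build smoke check that loads the protected assembly and verifies that every type/method pair the application resolves by string still exists under its original name, so broken lookups surface on the build machine rather than in the field. The type and method names in `RequiredNames` are placeholders; it assumes the protected assembly can be loaded by the framework on that machine.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;

public static class ReflectionNameCheck
{
    // Hypothetical list of names the application looks up by string at runtime.
    public static readonly (string Type, string Method)[] RequiredNames =
    {
        ("MyApp.Services.OrderService", "Submit"),
        ("MyApp.Licensing.LicenseValidator", "Validate"),
    };

    // Returns a description of every pair that no longer resolves by name.
    // Each entry is a candidate for [Obfuscation(Exclude = true)] or an
    // exclusion rule in the obfuscator's settings.
    public static List<string> FindBroken(Assembly asm, IEnumerable<(string Type, string Method)> names)
    {
        var broken = new List<string>();
        foreach (var (typeName, methodName) in names)
        {
            Type t = asm.GetType(typeName, throwOnError: false);
            if (t == null) { broken.Add($"type not found: {typeName}"); continue; }
            try
            {
                // Same lookup style the application uses; a renamed member returns null.
                const BindingFlags all = BindingFlags.Public | BindingFlags.NonPublic
                                       | BindingFlags.Instance | BindingFlags.Static;
                if (t.GetMethod(methodName, all) == null)
                    broken.Add($"method not found: {typeName}.{methodName}");
            }
            catch (AmbiguousMatchException)
            {
                // Several overloads survived under that name: the lookup still works.
            }
        }
        return broken;
    }

    public static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: ReflectionNameCheck <protected.dll>"); return 2; }
        // LoadFrom runs module initializers of the loaded assembly, so run this
        // only on the build machine against your own output.
        Assembly asm = Assembly.LoadFrom(args[0]);
        var broken = FindBroken(asm, RequiredNames);
        foreach (var line in broken) Console.WriteLine(line);
        Console.WriteLine(broken.Count == 0 ? "all reflected names resolve" : $"{broken.Count} broken lookup(s)");
        return broken.Count == 0 ? 0 : 1;
    }
}
```

Run it as a build step against the obfuscated output; a non-zero exit code fails the build before the protected binaries are shipped.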
I have been using .NET Reactor for many years. I use the ISerializable interface together with a serialization binder to get around obfuscation etc. It works through every protection method that .NET Reactor has.

    using System;
    using System.IO;
    using System.Runtime.Serialization;
    using System.Runtime.Serialization.Formatters.Binary;

    // Serialize to / deserialize from a file with a custom binder attached.
    // Note: BinaryFormatter is unsafe for data from untrusted sources; it is
    // kept here because it is what the answer uses.
    public static class Persistence
    {
        static BinaryFormatter CreateFormatter()
        {
            BinaryFormatter b = new BinaryFormatter();
            Binder CB = new Binder();
            b.Binder = CB;
            return b;
        }

        // to serialize
        public static void Save(string fileName, YourClass yourObject)
        {
            using (Stream s = File.Open(fileName, FileMode.Create))
            {
                CreateFormatter().Serialize(s, yourObject);
            }
        }

        // to deserialize (a fresh stream positioned at the start of the file)
        public static YourClass Load(string fileName)
        {
            using (Stream s = File.Open(fileName, FileMode.Open))
            {
                return (YourClass)CreateFormatter().Deserialize(s);
            }
        }
    }

    [Serializable]
    public class YourClass : ISerializable
    {
        public string stringVar;

        public YourClass() { }

        // Explicit serialization function: values are written under fixed
        // string names, so renaming the field does not change the stream.
        public void GetObjectData(SerializationInfo info, StreamingContext ctxt)
        {
            info.AddValue("stringVar", stringVar);
            // and so forth...
        }

        // Deserialization constructor, called by the formatter
        public YourClass(SerializationInfo info, StreamingContext ctxt)
        {
            stringVar = (string)info.GetValue("stringVar", typeof(string));
            // and so forth
        }
    }

    // The serialization binder: resolve the stored type name against this assembly
    public class Binder : SerializationBinder
    {
        public override Type BindToType(string assemblyName, string typeName)
        {
            // Ignore the assembly name recorded in the stream and get the type
            // from this assembly (Type.GetType searches the calling assembly and mscorlib)
            return Type.GetType(typeName);
        }
    }
BerntR Avatar answered Oct 20 '22 19:10